A service organization's system description includes controls performed by a subservice organization (e.g., a data center). The service auditor decides to use the 'carve-out' method. What does this imply for the service auditor's report?

Answer options:

The service auditor must test the controls at the subservice organization.

The subservice organization's controls are completely ignored and not mentioned.

The service auditor's opinion does not extend to the controls at the subservice organization.

The service auditor issues a qualified opinion due to scope limitation.

How to approach this question

Carve-out = Cut it out of the opinion. Inclusive = Include it in the testing and opinion.

Full Answer

C.The service auditor's opinion does not extend to the controls at the subservice organization.✓ Correct

The carve-out method excludes the subservice organization's controls from the service auditor's testing and opinion. The description identifies the services provided, but the controls are not tested by the primary auditor.

Common mistakes

Thinking carve-out means the controls don't matter. They do, but the user must get assurance elsewhere (e.g., the subservice org's own report).

Question 30 All questions Question 32

Practice the full CPA ISC Practice Exam

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is performing a risk assessment for a client that uses a public cloud provider for its core...Hard Q02During a walkthrough of a client's change management process, the auditor notes that developers h...Hard Q03A service organization provides a real-time transaction processing platform. The service level ag...Hard Q04An auditor is reviewing a SQL query used by the finance team to generate a report of all sales tr...Hard Q05A healthcare clearinghouse is preparing for a SOC 2® engagement. They utilize a private cloud dep...Hard

View all 82 questions →